查字典
https://www.cloudflare.com/zh-tw/learning/
SSL/TLS/HTTPS
Secure Sockets Layer (SSL) is a security protocol that provides privacy, authentication, and integrity to Internet communications. SSL eventually evolved into Transport Layer Security (TLS).
一種網路傳輸的加密方法,由網景公司1995年開發。為了穿書資料的隱私與安全所生。
TLS is a security protocol that provides privacy and data integrity for Internet communications. Implementing TLS is a standard practice for building secure web apps.
新版 SSL,改名字是其它考量。
典型的用途是加密 web app 與 servre 的通訊,例如 email, messaging, and voice over IP (VoIP)。
HTTPS 在 HTTP 上實作了 SSL/TLS 加密。
當使用者造訪了有SSL/TSL憑證的網站,會得到一把公鑰,接著進行SSL/TLS handshake。
WHY
TLS 做了什麼?
加密,經由三方傳遞資料時,資訊不被第三方讀取
資訊驗證,確保取得的就是請求的資訊
資訊正確完整,確保資訊不被竄改
如果沒有辦法保證這三點的網站會怎樣? https://www.cloudflare.com/zh-tw/learning/ssl/why-use-https/
常見的資安攻擊手法 https://www.cloudflare.com/zh-tw/learning/security/what-is-web-application-security/
TLS怎麼做的?
來源網站必須安裝TLS憑證,當使用者造訪一個有 TLS 憑證的網站會發起 TLS handshake...
加密
對稱加密
非對稱加密
Plaintext + key = ciphertext:
Ciphertext + key = plaintext:
(This is an example of symmetric encryption, in which only one key is used.)
*Using Blowfish algorithm, CBC mode, Base64 encoding.
數位簽章(Digital Signature)
相反,如果某一使用者使用他的私鑰加密明文,任何人都可以用該使用者的公鑰解密密文;由於私鑰只由該使用者自己持有,故可以肯定該檔案必定出自於該使用者;公眾可以驗證該使用者發布的資料或檔案是否完整、中途有否曾被篡改,接收者可信賴這些數據、檔案確實來自於該使用者,這被稱作數位簽章
http://www.youdzone.com/signature.html
RSA 數位簽章
1.傳輸的是
文件
一段私鑰加密的雜湊過的文件(=數位簽章)
2.用公鑰可以
解密數位簽章得到雜湊過的文件
3.用約定好的 hash function 驗證
https://wetest.qq.com/lab/view/110.html
hash function 寫在證書上
公鑰可以從CA (憑證發行公司拿到,會裝在瀏覽器裡)或憑證本身拿到
What Does a Digital Signature Look Like?
為軟體加上數位簽章(Java)
Certificate Authority (CA)
訊息發布者可以使用數位簽章:訊息發布的目的是讓人們知道訊息,雖然沒必要對消息進行加密,但是必須排除有人偽裝訊息發布者發布假消息的風險,這時訊息發布者就可以使用數位簽章。而對明文消息施加的簽名,稱為明文簽名(clearsign)。
軟體的作者可以加上數位簽章,以便用戶下載後對簽名進行驗證。
認證機構(CA)也可以為用戶的公鑰加上數位簽章生成證書,以便人們確認用戶公鑰的合法性。
SSL/TLS使用伺服器證書(加上了數位簽章的伺服器公鑰)認證伺服器身份是否合法。
Certificate Authority (CA) / Public Key Infrastructures (PKI)
How does the digital signature verification process work?
the PKI is, essentially, a bunch of Certification Authorities.
In a simple setup, we would have a central directory of the public keys of everybody; imagine it as a big marble slab in the middle of a public park, with the public keys engraved on it. Anybody can have a look at it, and be sure that it is "the genuine thing" because you cannot simply paint over something which was engraved.
在中央公園有一個大禮石版上面刻了一堆公鑰,保證這些可靠,大家都可以去拿
怎麼去在石版上找到自己要的哪一把公鑰=>證書
證書是CA發的
The role of the CA is, precisely, to issue certificates
During the initial phases of the connection between your browser and the webserver, the server sends its certificate. The browser then verifies the certificate against its list of hardcoded CA public keys (which have been included by courtesy of the browser (i.e. Firefox) or operating system itself (i.e. MacOS). Once the browser has verified the certificate, it knows that the public key sent by the server, in fact, belongs to the server, and uses it to establish the confidential tunnel with the server.
Included CA Certificates (HTML)
Last updated
